
amazon-web-services - How to encrypt traffic between the load balancer and the web servers with Elastic Beanstalk

Reposted. Author: 行者123. Updated: 2023-12-04 22:35:58

I want to encrypt the traffic between my load balancer and my web servers in an Elastic Beanstalk environment. Amazon has a guide here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html but it involves manually generating a certificate for your servers. Is there a fully automated alternative?

Best answer

If you have the servers generate their own self-signed certificate as part of the deployment container commands, then every server gets a fresh certificate each time you deploy and each time a new server starts.

The best command I found is the following, which creates a certificate valid for 10 years:

sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/certs/server.key -out /etc/pki/tls/certs/server.crt -days 3650 -nodes -subj "/CN=example.com"

With this approach your servers keep working as long as you deploy at least once every ten years (which includes upgrading your EB container version).

This also greatly simplifies the setup. All you need to do now is:

  1. Add a config file to your Elastic Beanstalk project that generates the self-signed certificate and adds the HTTPS settings to the web server.
  2. Let the web server security group accept port 443 connections from the load balancer security group.
  3. Set your load balancer to forward traffic from port 443 to port 443.

Below is an example of a complete HTTPS Elastic Beanstalk config file for Python. It is a slight modification of AWS's suggested config file for Python. I added the certificate-generating command to the start of the container commands and removed the two files statements for /etc/pki/tls/certs/server.crt and /etc/pki/tls/certs/server.key, since they are now generated automatically. AWS examples for other languages can be found here.

AWS Linux 2, Apache-based deployment

Put the following in .ebextensions/ssl.config:

container_commands:
  01_create_certs:
    command: |
      sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/certs/server.key -out /etc/pki/tls/certs/server.crt -days 3650 -nodes -subj "/CN=example.com"
  02_restart_httpd:
    command: |
      # Condition on whether httpd is running for compatibility with EB worker environments
      sudo systemctl status httpd && sudo systemctl restart httpd || echo "httpd not running"
  03_wait_for_httpd_restart:
    command: "sleep 3"

Put the following in .platform/httpd/conf.d/ssl.conf:

Listen 443
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile "/etc/pki/tls/certs/server.crt"
  SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
  # Limit requests to 100 MB
  LimitRequestBody 104857600

  <Proxy *>
    Require all granted
  </Proxy>
  ProxyPass / http://localhost:8000/ retry=0
  ProxyPassReverse / http://localhost:8000/
  ProxyPreserveHost on
</VirtualHost>

AWS Linux 1, Apache-based deployment

Put the following in .ebextensions/ssl.config:

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule wsgi_module modules/mod_wsgi.so
      WSGIPythonHome /opt/python/run/baselinenv
      WSGISocketPrefix run/wsgi
      WSGIRestrictEmbedded On
      Listen 443
      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

        Alias /static/ /opt/python/current/app/static/
        <Directory /opt/python/current/app/static>
          Order allow,deny
          Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/application.py

        <Directory /opt/python/current/app>
          Require all granted
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app \
          python-home=/opt/python/run/venv \
          home=/opt/python/current/app \
          user=wsgi \
          group=wsgi
        WSGIProcessGroup wsgi-ssl

      </VirtualHost>

container_commands:
  01_create_certs:
    command: |
      sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/certs/server.key -out /etc/pki/tls/certs/server.crt -days 3650 -nodes -subj "/CN=example.com"
  02_kill_httpd:
    command: "sudo restart supervisord"
  03_wait_for_httpd_death:
    command: "sleep 3"
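
As an added check that is not part of the original answer: a small POSIX shell helper set, assuming openssl is on the PATH and the answer's default certificate paths, that confirms the generated key matches the certificate and that it is not about to expire (the ten-year caveat above), so it can run from a deploy hook or a monitoring job.

```shell
#!/bin/sh
# Verification helpers for the self-signed backend certificate produced by the
# 01_create_certs container command. Paths default to the ones the answer uses
# (assumption: same layout on the instance); "openssl" is the only dependency.

CERT_DEFAULT=/etc/pki/tls/certs/server.crt
KEY_DEFAULT=/etc/pki/tls/certs/server.key

# Generate a self-signed cert the same way as the answer's command, with
# configurable paths, lifetime, CN and key size (no sudo; caller picks writable paths).
make_self_signed_cert() {
  key=$1; crt=$2; days=${3:-3650}; cn=${4:-example.com}; bits=${5:-4096}
  openssl req -x509 -newkey "rsa:$bits" -keyout "$key" -out "$crt" \
    -days "$days" -nodes -subj "/CN=$cn" 2>/dev/null
}

# Return 0 if the private key's public half matches the certificate's public key.
cert_key_match() {
  crt=$1; key=$2
  a=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 if the certificate stays valid for at least $2 more days (default 30).
cert_valid_for_days() {
  crt=$1; days=${2:-30}
  openssl x509 -noout -checkend $((days * 86400)) -in "$crt" >/dev/null 2>&1
}

# Print the subject CN; tolerates both "CN=" and "CN = " output styles.
cert_cn() {
  openssl x509 -noout -subject -in "$1" 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Combined check: files present, key matches cert, expiry not within min_days.
check_backend_cert() {
  crt=${1:-$CERT_DEFAULT}; key=${2:-$KEY_DEFAULT}; min_days=${3:-30}
  [ -r "$crt" ] || { echo "missing certificate $crt"; return 1; }
  [ -r "$key" ] || { echo "missing key $key"; return 1; }
  cert_key_match "$crt" "$key" || { echo "key does not match certificate"; return 1; }
  cert_valid_for_days "$crt" "$min_days" \
    || { echo "certificate expires within $min_days days; redeploy"; return 1; }
  echo "ok: CN=$(cert_cn "$crt")"
}
```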

Regarding "amazon-web-services - How to encrypt traffic between the load balancer and the web servers with Elastic Beanstalk", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60854718/
